ASSIGNED 284185
Webauthn authentication fails with CTAP1/U2F
https://bugs.webkit.org/show_bug.cgi?id=284185
will.smart
Reported 2024-12-06 12:54:42 PST
On the Safari 18.2 release candidate on MacOS and iOS, Webauthn authentication ceremonies fail if all of the following conditions are met:
* The user is attempting to fulfil the webauthn authentication request with a FIDO security key
* CTAP2 is unavailable, and communication with the security key must take place over CTAP1 (U2F), such as on YubiKey 4 and earlier models, or YubiKey 5 series and later with FIDO2 disabled.
* The Relying Party ID (RPID) of the webauthn request is sufficiently long, or has more than two parts, such as demo.yubico.com. Note that short, two-part RPIDs like webauthn.io seem to be unaffected.
* The webauthn request sets user verification to “discouraged”

This has the potential to affect any relying party that uses webauthn as a second factor, with users that are still using U2F devices. It will not affect relying parties that require user verification, because those situations are already incompatible with CTAP1/U2F.

Steps to reproduce:
1. Find a U2F device, or configure a YubiKey with FIDO2 disabled, and U2F enabled
2. Go to https://demo.yubico.com/webauthn-developers
3. Create a new credential with the default settings (attachment unspecified, residentKey discouraged, userVerification preferred, attestation direct)
4. Attempt to authenticate (assert) with the credential that was just made, with userVerification set to discouraged

Expected Behavior: The security key is usable to satisfy the webauthn request
Observed Behavior: The browser does not react to inserting/tapping the security key or the user presence gesture.

Affected security keys:
* Any security key where U2F / CTAP1 is the only supported protocol. Verified on the YubiKey 4, YubiKey 5 and the Google Titan v1
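The assertion request that step 4 of the report describes, as an added example that is not code from the bug report, WebKit or Yubico: it builds the request options with userVerification "discouraged", classifies whether a request falls into the condition set the report lists (RP ID with more than two labels plus discouraged UV), and wraps navigator.credentials.get() in an abort deadline so a relying party can log the "browser does not react" symptom rather than waiting for the full WebAuthn timeout. The credential id and challenge bytes are constructed placeholders.

```javascript
// Number of DNS labels in an RP ID ("demo.yubico.com" -> 3, "webauthn.io" -> 2).
function rpIdLabelCount(rpId) {
  return rpId.split(".").filter((label) => label.length > 0).length;
}

// True when a request matches the conditions listed in the report:
// an RP ID with more than two labels and userVerification "discouraged".
// (The report's "sufficiently long" threshold is not quantified, so only
// the label-count condition is encoded here.)
function matchesReportedConditions({ rpId, userVerification }) {
  return rpIdLabelCount(rpId) > 2 && userVerification === "discouraged";
}

// PublicKeyCredentialRequestOptions for the assertion in repro step 4.
function buildAssertionOptions({ rpId, credentialId, challenge, userVerification }) {
  return {
    publicKey: {
      rpId,
      challenge,
      userVerification,
      timeout: 60000,
      allowCredentials: [{ type: "public-key", id: credentialId, transports: ["usb", "nfc"] }],
    },
  };
}

// Browser-side diagnostic: runs the assertion with an abort deadline so the
// relying party can record a "no-response" outcome when the browser never
// reacts to the security key, instead of waiting on the WebAuthn timeout.
async function getAssertionOrTimeout(options, deadlineMs) {
  const controller = new AbortController();
  const timer = setTimeout(() => controller.abort(), deadlineMs);
  try {
    const credential = await navigator.credentials.get({ ...options, signal: controller.signal });
    return { status: "ok", credential };
  } catch (err) {
    const status = err && err.name === "AbortError" ? "no-response" : "error";
    return { status, error: err };
  } finally {
    clearTimeout(timer);
  }
}

// Constructed placeholders standing in for a real credential id and challenge.
const SAMPLE_CREDENTIAL_ID = new Uint8Array(16).fill(0x41);
const SAMPLE_CHALLENGE = new Uint8Array(32).fill(0x42);
```

In a page served from demo.yubico.com, `getAssertionOrTimeout(buildAssertionOptions({ rpId: "demo.yubico.com", credentialId: SAMPLE_CREDENTIAL_ID, challenge: SAMPLE_CHALLENGE, userVerification: "discouraged" }), 15000)` resolves to `{ status: "no-response" }` on an affected browser with a U2F-only key.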
Radar WebKit Bug Importer
Comment 1 2024-12-13 12:55:16 PST
John Wilander
Comment 2 2024-12-16 10:42:03 PST
Thanks for filing! This is a duplicate of rdar://140380303 which is likely fixed by rdar://141169679.
will.smart
Comment 3 2024-12-23 11:38:20 PST
We were still able to reproduce this issue with the latest MacOS beta 24D5034.
will.smart
Comment 4 2025-01-13 12:47:07 PST
This appears to be resolved in the latest MacOS (24D5040f) and iOS (22D5040d) Betas.